EP 0 638 184 B1

Description 

Technical Field 

The invention relates to a data processing system comprising a plurality of computers interconnected through a 
local network, preferably in form of a ring network, said network being connected to a network adaptor which is able 
to receive all information on the network. 

Background Art

Such a network adaptor is able to measure the performance and the speed of the network, inter alia in order to 
evaluate whether the network is optimally structured. 

A ring network can be connected to a network server. The network server can comprise a network program
accessible to the users at each work station. Each user can furthermore have access to the logical drive of the network
server, whereby the user can enter programs and data which can subsequently be read by another user without floppy
disks being exchanged between the users. The network server can furthermore include a virus program accessible to
the user of a work station so as to enable him to scan the local disk for virae. The user can carry out a virus scanning
at regular intervals. A virus, if any, may, however, have infected a large number of work stations before being detected.

Description of the Invention

The object of the invention is to provide a data processing system of the above type, whereby a virus, if any, and 
computers infected thereby are detected far quicker than previously so as to limit the spreading of the virus. 

The data processing system according to the invention is characterised in that the network adaptor is connected
to a computer which together with the adaptor can perform an assembling and scanning of substantially all files on the
network and carry out a recognition of virus signatures, if any, in the files, the computer connected to the adaptor having
means for providing information on the place of origin of infected data, if any, as well as on the position to which said
infected data have been transmitted, and the computer connected to the adaptor comprising a neural network in form
of a program having means for recognizing the usual interchange of data resembling virae on the local network and
for actuating an alarm if an unusual interchange of data resembling a virus, such as an unknown virus signature, is
recognized.

In addition, according to the invention, the computer connected to the adaptor comprises means for transmitting a
so-called "vaccine" to the computers optionally infected by said virus or said virae, said vaccine being implemented
by causing the computer connected to the adaptor to start a scanning on the infected computers by means of a program
known per se for neutralizing said virus.

Furthermore the neural network may according to the invention comprise neuron-like elements. 

Finally the neural network may according to the invention be composed of a Boltzmann machine. 

Brief Description of the Drawings

The invention is explained in greater detail below with reference to the accompanying drawings, in which 



Fig. 1 illustrates a data processing system according to the invention comprising a local network in form of a ring
network connected to a number of computers, one of the computers being equipped with a particular network
adaptor,



Fig. 2 illustrates how a computer is infected and subsequently infects the network, 

Fig. 3 illustrates how an adaptor connected to the network can assemble packets of information circulating in the 
network in order to detect virae, if any, 

Fig. 4 illustrates a data processing system comprising a local network in form of a string network connected to a 
plurality of computers, one of said computers being equipped with a particular network adaptor, 

Fig. 5 illustrates a neuron for recognition of hitherto unknown virae, 

Fig. 6 illustrates a neural network comprising an input layer, an intermediate layer, and an output layer, and 

Fig. 7 illustrates examples of hypercube multiprocessor structures, in which the data processing system according
to the invention can be implemented.

Best Mode for Carrying Out the Invention

The data processing system according to the invention comprises a plurality of computers 2 in form of personal
computers interconnected through a local network in form of a ring network 1. A virus can infect a personal computer
2 via a floppy disk 3 inserted in the computer 2 copying the program on the floppy disk 3. As a result the computer is
infected by the virus in said program. The infected program can then be transferred via the network to one or several
of the remaining personal computers 2 connected to the network 1. The virus is transferred when the program or the
program file is divided into packets being transmitted in series via the ring network 1. Each packet includes an address
indicating the work station (the personal computer) receiving the packet. The packet circulates in the network 1, and
at the receiving work station the address is recognized whereafter the packet can be read by said station. This station
is usually the only work station capable of reading the packet and subsequently marking said packet as read. Then
the packet is retransmitted via the network 1 to the original work station which checks whether said packet has been
read or not. In the affirmative, the packet can be emptied and marked empty.

The network 1 is furthermore connected to a network server 5. Previously, the network server 5 included a program
allowing the user to perform a virus scanning at regular intervals of the programs in the personal computer 2. Such a
virus control is, however, encumbered with the drawback that a virus, if any, may be spread to a large number of work
stations of the data processing system before an alarm is activated.

According to the invention, one of the work stations, viz. the work station 8, is connected to a particular network
adaptor 7, such as an IBM trace and performance adaptor which is able to receive all information on the network 1.
Such devices, also called scanners, are, for instance, mentioned in the document "Computer Security Journal", volume 7,
No. 1, 1991, J. DAVID, pp. 53-59. The network adaptor 7 receives selected packets on the network, viz. only packets
containing data of interest. The packets continue without delay to the receiving station. Then a TAP logic in the network
adaptor 7 assembles the packets in files, cf. Fig. 3, for a scanning and detection of virus signatures, if any. The adaptor
7 has been symbolized in Fig. 1 by means of a magnifying glass and is connected to the computer 8. The computer 8
is able to scan the files and recognize virus signatures, if any.

A program comprises a number of commands to an electronic data processing system. The commands are
encoded in hexadecimal codes easy to recognize. In this manner it is possible to compare the program with program
signatures in order to ensure that said program signature is in fact a portion of the complete program. A virus is in fact
a program and can therefore be recognized in the same manner. As far as a known virus is concerned all the files of
an electronic data processing system can be scanned for the signature of said virus by the system performing a
comparison with said signature. If the signature is a portion of a file, said file may have been infected. A large number of
programs are able to scan for known virus signatures. These programs render it possible to determine whether an
electronic data processing system is infected by known virae.

When a virus is detected, an alarm is instantaneously activated and a so-called "vaccine" is transmitted to the
personal computers having received infected information, which is possible because each packet in the ring network
1 contains the addresses of the transmitting and the receiving stations of the information in question. The vaccine is
provided for instance by means of the program "Clean" sold by the company McAfee. This program can erase or write
over a virus program typically placed in front of or after the actual program. If the virus program is placed in front of
the actual program, an indication can be provided after the erasing of or writing over said virus that the actual program
does not start until later. A quick transmission of such a vaccine minimizes the spreading of the virus. The principle is
particularly suited in connection with a ring network as the information packets pass the adaptor 7 during each running
and are thereby detected as quickly as possible.
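
The assembling and scanning step described above can be sketched as follows. This is an added example, not code from the patent; the packet field names (src, dst, file_id, seq, data), the signature table and the captured packets are assumptions constructed for illustration. It shows why the adaptor assembles packets into files before scanning: a signature split across two packets is missed by a per-packet comparison but found in the assembled file, together with the transmitting and receiving stations.

```python
from collections import defaultdict

# Constructed signature table; the pattern is arbitrary, not a real virus signature.
SIGNATURES = {"TEST-SIG-A": bytes.fromhex("deadbeef1337")}

# Constructed capture as seen by the tap. Field names are assumptions.
CAPTURE = [
    {"src": 2, "dst": 4, "file_id": 1, "seq": 0, "data": bytes.fromhex("4d5a0000dead")},
    {"src": 3, "dst": 5, "file_id": 7, "seq": 0, "data": b"plain report text"},
    {"src": 2, "dst": 4, "file_id": 1, "seq": 1, "data": bytes.fromhex("beef13370000")},
    # The same packet observed again on a later pass around the ring.
    {"src": 2, "dst": 4, "file_id": 1, "seq": 0, "data": bytes.fromhex("4d5a0000dead")},
]


def find_signatures(data):
    """Return (name, offset) for every known signature contained in data."""
    return [(name, data.find(sig)) for name, sig in SIGNATURES.items() if sig in data]


def assemble(packets):
    """Group packets per (src, dst, file) and join payloads in sequence order.

    Keying the parts by sequence number also drops repeated observations.
    """
    flows = defaultdict(dict)
    for p in packets:
        flows[(p["src"], p["dst"], p["file_id"])][p["seq"]] = p["data"]
    return {key: b"".join(parts[s] for s in sorted(parts)) for key, parts in flows.items()}


def scan_assembled(packets):
    """Scan assembled files; each alert names the origin and the recipient."""
    alerts = []
    for (src, dst, file_id), data in assemble(packets).items():
        for name, offset in find_signatures(data):
            alerts.append({"signature": name, "origin": src, "sent_to": dst,
                           "file_id": file_id, "offset": offset})
    return alerts


def scan_per_packet(packets):
    """Naive comparison on single packets, shown only for contrast."""
    return [name for p in packets for name, _ in find_signatures(p["data"])]


def stations_to_clean(alerts):
    """Stations that should receive the 'vaccine': sender and receiver."""
    return sorted({a["origin"] for a in alerts} | {a["sent_to"] for a in alerts})


if __name__ == "__main__":
    print("per packet :", scan_per_packet(CAPTURE))
    print("assembled  :", scan_assembled(CAPTURE))
    print("clean      :", stations_to_clean(scan_assembled(CAPTURE)))
```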

The principle can, however, also be used in connection with a string network, cf. Fig. 4. All the work stations 2
coupled in a string network 1 receive the same information. However, only the work station comprising an address
corresponding to the receiving address can read the information. A TAP machine 11 is also connected to the string
network. The TAP machine is equipped with a particular adaptor and can therefore also read the information. This
adaptor can for instance be of the type spider analyzer 325-R version 2.1 sold by the company Spider Systems. The
adaptor of the TAP machine 11 considers itself a receiving station for all the information packets although this is not
the case. The adaptor has been set in a particular mode implying that it ignores the address and reads all the packets.
The adaptor comprises a buffer in which the packets are stored. The buffer is emptied now and then, such as when it
is full, or is about to be full. The buffer is emptied by means of network software. A plurality of packets corresponding
to several files may optionally be transmitted at the same time. The network software converts the packets into a form
readable by the operating system in question. In this manner the operating system can write the files to a disk or store
them in the memory of the machine.

The data processing system can be further developed so as also to be able to recognize a new virus and send a
vaccine to it. The further development is found in the fact that the work station 8 or 11 connected to the network adaptor
in addition comprises a neural network in form of a program designed to distinguish between normal and abnormal
interchange of data on the local network and to activate an alarm in case of an abnormal interchange of data in form
of an unknown signature possibly corresponding to yet another unknown virus.

The use of neural networks for detecting computer viruses has already been proposed in general lines in the document
SIGSAC Review, Fall 1991, USA, Vol. 9, No. 4, pp. 49-59, D. Guinier.

The system utilizes the fact that by far the most virae have certain common features. A machine reading from examples
can therefore be programmed to detect by far the most virae. Such a machine can for instance be a Hopfield network
known per se or a Boltzmann machine being identical with a Hopfield network apart from one significant difference.
When a unit in the network is to decide the succeeding function thereof, an arbitrary signal is programmed into the
unit. This arbitrary signal "shakes" the network out of local optima in such a manner that it is possible to determine the
globally best configurations. A surprising property of this network is that it is possible to determine a very simple relation
between a predetermined weight factor and the global behaviour of the network although said network is very complex.
The network can be presented with coherent input and output signals and can thereby adjust the individual weight factors
and consequently adapt the behaviour of the network to the desired behaviour. As a result, a gradual improvement
of the behaviour of the network takes place.

According to a particular, single case the neural network can be a perceptron. Such a perceptron is shown in Fig.
5 and comprises one or several processing elements (neurons) in a layer. For the sake of simplicity, only one of these
processing elements is described below.

The perceptron of Fig. 5 comprises only one neuron and receives a plurality of input signals $X_0, X_1, X_2, \ldots$ and
transmits an output signal $Y^{*}$. While programming the neuron, the correct output signal corresponding to the transmitted
input signals is transmitted. The input signals are expressed by a vector $X$ of the dimension $N + 1$. $X_0$ has been set to
1. Each signal $X_p$ of the vector $X$ is weighted by a weight factor $W_p$ of a vector $W$ also of the dimension $N + 1$. The
output signal $Y^{*}$ is calculated as the sum of the products $X_0 W_0 \ldots X_N W_N$ corresponding to the vector product $W \cdot X$.
If this vector product exceeds 0, $Y^{*}$ is set to 1 or 0 corresponding to class 0 or 1. Thus the neuron is able to place a
predetermined vector in one out of two classes. Now the neuron is presented to a large number of various $X$, each $X$
being of the class 0 or 1. During the programming, the neuron is provided with a vector $X$ together with the correct
class. As a result the neuron can adjust its weight factors according to the formula

$$W^{\text{new}} = W^{\text{old}} + (Y - Y^{*}) \cdot X,$$

where $Y$ represents the correct class of the input signal vector $X$ in question, and $Y^{*}$ represents the output signal
($W \cdot X$) of the neuron. This formula is called the programming instructions and indicates how the weight factors of the
neuron are adjusted.

A perceptron comprising one or more neurons can be used for recognizing a pattern, such as a virus signature. A
perceptron for recognizing a virus signature includes preferably at least two neurons. It is assumed that a virus signature
has a maximum length of m hexadecimal figures of 8 bits. A hexadecimal figure of 8 bits can assume 256 various
values. The input signal vector X must then have the dimension m · (256 + 1). All possible combinations of virus
signatures therefore result in various X-vectors.

The data structure of the perceptron is indicated below in a Pascal-like syntax. 

Perceptron
Type
    Figure value  = actual figure
    Class         = [0..1]
    Input vector  = array [1..m; 0..256] of figure value
    Weight vector = array [1..m; 0..256] of figure value
    Neuron        = position
                        W: weight vector
                        Y: class
                    Final post
    Perceptron    = position
                        Neuron 1: Neuron
                        Neuron 2: Neuron
                    Final post

Initially W is set to 0.5.

Two procedures must be provided, viz. one for calculating the product X · W, and one for adjusting the weight
factors in accordance with the programming instructions.

Then the perceptron is presented to a large number of virus signatures as well as to a large number of signatures
without virus.

When the signature is a virus, the class for neuron 1 must be 1, whereas the class for neuron 2 must be 0.
When the signature is not a virus, the class for neuron 1 must be 0, whereas the class for neuron 2 must be 1, i.e.:

The signature is a virus: Neuron 1.Y = 1 and Neuron 2.Y = 0.

The signature is not a virus: Neuron 1.Y = 0 and Neuron 2.Y = 1.

After the supply of a virus signature, the weight factors of the neurons must be adjusted by means of the programming
instructions until the perceptron has been stabilized such that the number of correct answers is no longer changed.
When this is the case, no further adjustments are performed by means of the programming instructions.

A perceptron implemented in this manner can recognize not only known virae, but also unknown virae provided
the signature thereof "resembles" the signature of the virae already presented to the perceptron.

A new virus often resembles a known virus as many new virae are developed on the basis of known virae. A few
virae are furthermore able to change the signature all the time by adding NOP's (no operation) to the signature. In
other words the virus mutates. An NOP does not involve activity, and the functions of the virus remain unchanged. The
signature of the virus is, however, changed. In many cases the perceptron is also able to recognize such mutants as
the insertion of NOP's has no decisive effect on the perceptron.
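
The two-neuron perceptron and its programming instructions, as described above, can be written out as follows. This is an added example, not code from the patent. Assumptions: m = 8, the m · (256 + 1) input vector is a per-position one-hot encoding of the byte value with column 0 as the constant input, longer signatures are truncated to m bytes, and all byte strings are constructed (0x90 is the x86 NOP opcode). It also shows the limit of the "in many cases" claim for NOP insertion under this positional encoding.

```python
M = 8              # assumed maximum signature length m, in bytes
COLS = 256 + 1     # per position: constant input (column 0) + one column per byte value

# Constructed byte strings, not real virus signatures.
KNOWN_BAD = [bytes.fromhex("deadbeef1337c0de"), bytes.fromhex("deadbeef1337face")]
KNOWN_GOOD = [bytes.fromhex("0001020304050607"), bytes.fromhex("0001020320212223")]


def encode(sig):
    """Indices of the inputs that are 1 in the m*(256+1) vector X (assumed one-hot)."""
    active = []
    for pos in range(M):
        active.append(pos * COLS)                       # constant input, always 1
        if pos < len(sig):
            active.append(pos * COLS + 1 + sig[pos])    # byte value at this position
    return active


class Neuron:
    def __init__(self):
        self.w = [0.5] * (M * COLS)                     # initially W is set to 0.5

    def output(self, active):
        """Y* = 1 if W . X exceeds 0, else 0."""
        return 1 if sum(self.w[i] for i in active) > 0 else 0

    def adjust(self, active, y):
        """W_new = W_old + (Y - Y*) . X; returns True if the weights changed."""
        delta = y - self.output(active)
        for i in active:
            self.w[i] += delta
        return delta != 0


class Perceptron:
    def __init__(self):
        self.n1, self.n2 = Neuron(), Neuron()

    def train(self, samples, max_passes=100):
        """Adjust until one full pass changes nothing; return the pass count."""
        for n in range(1, max_passes + 1):
            changed = False
            for sig, bad in samples:
                x = encode(sig)
                changed |= self.n1.adjust(x, 1 if bad else 0)   # neuron 1: virus -> 1
                changed |= self.n2.adjust(x, 0 if bad else 1)   # neuron 2: virus -> 0
            if not changed:
                return n
        raise RuntimeError("perceptron did not stabilise")

    def is_virus(self, sig):
        x = encode(sig)
        return self.n1.output(x) == 1 and self.n2.output(x) == 0


def build():
    p = Perceptron()
    return p, p.train([(s, True) for s in KNOWN_BAD] + [(s, False) for s in KNOWN_GOOD])


def with_nop(sig, at):
    """Constructed mutant: one NOP byte inserted at offset `at`."""
    return sig[:at] + b"\x90" + sig[at:]


if __name__ == "__main__":
    p, passes = build()
    print("stabilised after", passes, "passes")
    print("NOP near the end :", p.is_virus(with_nop(KNOWN_BAD[0], 6)))
    print("NOP at the front :", p.is_virus(with_nop(KNOWN_BAD[0], 0)))
```

With this encoding a NOP inserted near the end leaves most positions aligned and the mutant is still recognized, whereas a NOP at the front shifts every byte and the mutant is missed, so the perceptron complements exact signature scanning rather than replacing it.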

Further details concerning the implementing of programming instructions in form of programming algorithms appear
from the literature "Neurocomputing" by Robert Hecht-Nielsen published by Addison-Wesley Publishing Company,
ISBN 0-201-09355-3. Reference is in particular made to paragraphs 3.3 and 3.4.

A particular advantage of the data processing system according to the invention is that each user does not have
to scan the programs in each personal computer. According to the invention, the network communication is instead
scanned centrally.

Computers that never or only seldom transmit on the network 1 can, however, be infected and must therefore
be checked in a conventional manner by each user.

Previously, the problem was that it was not possible to locate the transmitting station that had infected the
network. The system according to the invention renders it possible to locate the station before the "traces" have been
erased.

The data processing system according to the invention is not limited to be used in connection with ring or string
networks. Usually, it can be used in connection with hypercube multiprocessor structures, for instance being
characterised by having $2^n$ processors interconnected via an n-dimensional cube, cf. Fig. 6 showing examples of hypercube
structures. Reference is in this connection made to the literature "Multiprocessors" by Daniel Tabak, Prentice Hall Series
in Computer Engineering, especially chapter 2. Each processor comprises direct and separate communication paths
to n other processors. These paths correspond to the edges of the cube. Hypercube structures are implemented
by Intel and Floating Point Systems indicating transfer speeds of 1 Mbit/sec.

The data processing system according to the invention can also be used in connection with switch network
structures and vector processors. In case of switch network structures, it can be necessary to use several network adaptors,
each network adaptor being connected to a computer which together with the adaptor carries out an assembling and
scanning of files on the network.



Claims 



1. A data processing system comprising a plurality of computers interconnected through a local network, in form of
a ring network, said network being connected to a network adaptor which is able to receive all information on the
network, characterised in that the network adaptor (7) is connected to a computer (8), which together with the
adaptor (7) can perform an assembling and scanning of substantially all files on the network (1) and carry out a
recognition of virus signatures, if any, in the files, the computer (8) connected to the adaptor (7) having means for
providing information on the place of origin of infected data, if any, as well as on the position to which said infected
data have been transmitted, and the computer (8) connected to the adaptor (7) comprising a neural network in
form of a program having means for recognizing the usual interchange of data resembling virae on the local network
(1) and for actuating an alarm if an unusual interchange of data resembling a virus, such as an unknown virus
signature, is recognized.

2. A data processing system as claimed in claim 1, characterised in that the computer (8) connected to the adaptor
(7) comprises means for transmitting a so-called "vaccine" to the computers (8) optionally infected by said virus
or said virae, said vaccine being implemented by causing the computer (8) connected to the adaptor (7) to start a
scanning on the infected computers (8) by means of a program known per se for neutralizing said virus.



Patent Claims (translated from the German text)



1. A data processing system having a plurality of computers which are interconnected by a local network in the form
of a ring network, the network being connected to a network adaptor which can receive all information on the
network, characterised in that the network adaptor (7) is connected to a computer (8) which, together with the
adaptor (7), can carry out an assembling and checking or scanning of substantially all files on the network (1) and
perform a recognition of virus signatures, if present, in the files, the computer (8) connected to the adaptor (7)
having a device for supplying information on the place of origin of infected data, if present, as well as on the place
to which the infected data have been transmitted, and the computer (8) connected to the adaptor (7) having a
neural network in the form of a program with a device for recognising the usual interchange of data resembling
viruses on the local network (1) and for triggering an alarm if an unusual interchange of data resembling a virus,
such as an unknown virus signature, is recognised.

2. A data processing system according to claim 1, characterised in that the computer (8) connected to the adaptor (7)
has a device for transmitting a so-called "vaccine" to the computers (8) which are optionally infected by the virus
or the viruses, the vaccine being implemented by causing the computer (8) connected to the adaptor (7) to start
a scanning on the infected computers (8) by means of a program known per se for neutralising the virus.



Claims (translated from the French text)

1. A data processing system comprising a plurality of computers interconnected through a local network, in the form
of a ring network, said network being connected to a network adaptor which is capable of receiving all the
information on the network, characterised in that the network adaptor (7) is connected to a computer (8) which,
with the adaptor (7), can carry out an assembling and a scanning of substantially all the files on the network (1)
and perform a recognition of virus signatures, if any are present in the files, the computer (8) connected to the
adaptor (7) having means adapted to provide information on the place of origin of contaminated data, if necessary,
as well as on the position to which said contaminated data have been transmitted, and the computer (8) connected
to the adaptor (7) comprising a neural network in the form of a program having means for recognising the usual
interchange of data resembling viruses on the local network (1) and for actuating an alarm if an unusual interchange
of data resembling a virus, such as an unknown virus signature, is recognised.

2. A data processing system according to claim 1, characterised in that the computer (8) connected to the adaptor (7)
comprises means for transmitting a so-called "vaccine" to the computers (8) possibly contaminated by said virus
or said viruses, said vaccine being implemented by commanding the computer (8) connected to the adaptor (7)
to start a scanning of the contaminated computers (8) by means of a program known per se for neutralising said
virus.